In RSA encryption it is said that ensuring the authenticity of the public key can be as important as the protection of the private key.

An effective way of doing this is to have key custodians receiving the key (KC2) manually confirm the fingerprint of the public key with the original owner (KC1) of the public key via telephone or similar.

One could use a different public key (PK2) to sign the original public key PK1), but then the same issue arises in verifying the second public keys authenticity.

Are there any methods to avoid this manual intervention of public key verification?

2 Answers
2

You are talking about public key infrastructure. This is why certificate authorities and webs of trust exist. You have to have some trusted party to verify the certificate (public key). Verification occurs by signing the certificate using a private key that is trusted by the person the public certificate is going to be shared with.

This can either be a central trusted CA (either a third party or an internal CA for an organization which everyone agrees to trust) or it can be a web of trust where multiple people sign the certificate when they verify the information and trust is established based on how much you trust the people that signed it. The exact schemes can vary from one web of trust to another, but at the simplest, if I trust Bob and then Bob trusts Carl, I can trust Carl since Carl is signed by Bob and I trust Bob. Then if Carl trusts Dave, I can trust Dave, but perhaps a little less than I trust Carl or Bob. There is still the manual action of originally verifying Bob, but I get Carl and Dave for free.

Your browser is already populated with a trust store which includes the RSA public key. All interactions with any key issued by that CA or any of the numerous other CAs already in the trust store are, by definition, automatic.

In other words, your trust in the browser publisher has to include trust in their key store of public keys for popular CAs. This trust is not a trivial matter as there have been patches to browsers recently to remove certain CA keys (e.g. http://en.wikipedia.org/wiki/DigiNotar).

As AJ Henderston suggests, trust is not a technical matter but rather a social one. You trust Mozilla, Apple, or Microsoft and thus trust they did the due diligence to confirm the CA public keys in their products.